You can use your own TLS certificate (with a domain such as
company.com) to access your Orka environment instead of the custom Orka domain (such as
company.orka.app) and instead of the default Orka endpoints (
Custom TLS certificates provide an additional level of security and compliance. They require access via HTTPS.
Before you begin, you must have your own certificate and private key file that meet the following requirements:
- Both files are in PEM format.
- The certificate can be a bundle that contains your server, intermediates, and root certificates concatenated (in the proper order) into one file. The necessary certificates must be enabled as trusted certificates on the clients that connect to the cluster.
- The private key is not passphrase protected.
Orka allows you to use any of the following TLS certificates:
- Single domain TLS certificate with a domain name such as
- Multi-domain TLS certificate with domain names such as
- Wildcard TLS certificate with a domain name such as
The asterisk (
*) must be in the leftmost position of the domain name. It is impossible to use a double wildcard certificate for a domain (for example,
- Connect to your cluster via VPN. For more information, see VPN Connection.
- Make sure you generate your own custom TLS certificate and private key.
- Ensure you have the Orka license key available in your IP Plan.
- Send a POST request to
keyPathfiles attached in the request. Replace the
<full-path-to-the-private-key>placeholders as needed.
curl -X POST 'http://<orka-api-url>/resources/cert/set' \ --header 'Content-Type: multipart/form-data' \ --header 'Authorization: Bearer <token>' \ --header 'orka-licensekey: <license key>' \ --form '[email protected]<full-path-to-the-certificate>' \ --form '[email protected]<full-path-to-the-private-key>'
- Add an
A/AAAArecord in your DNS settings that map your custom domain name to the Orka ingress IP address.
What's the Orka ingress IP address?
The Orka ingress IP address is the
.241address for the
Private-1network from your IP Plan. For example:
- For the Orka API, change your API requests to target
- For the Orka CLI, run
orka configand change the URL setting to
- For the Orka Web UI, open
https://<your-custom-domain>in your browser.
- For CI/CD integrations, switch to
https://<your-custom-domain>in the respective plugin configuration.
You need to use https with your custom TLS domain.
- Generate a self-signed TLS certificate by running
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodesand following the prompts
- Upload the self-signed certificate to the Orka server using the steps here
- Ensure the self-signed TLS certificate is trusted according to your configuration.
- For the requests to the Orka API, trust the certificate on your local system.
- For the Orka CLI, run
export NODE_EXTRA_CA_CERTS=<path-to-your-self-signed-certificate>and then run
- For the Orka Web UI, add the certificate to the trusted store of your browser.
- You cannot use Orka app domain together with a custom TLS certificate.
- You cannot use more than one custom TLS certificate at the same time.
- You can use a custom TLS certificate only if your environment is updated to Orka 1.5.0 or later.
Updated about 1 year ago